6 files changed, 109 insertions, 44 deletions

diff --git a/include/net/netfilter/ipv4/nf_conntrack_icmp.h b/include/net/netfilter/ipv4/nf_conntrack_icmp.h
deleted file mode 100644
index 3dd22cff23ec..000000000000
--- a/include/net/netfilter/ipv4/nf_conntrack_icmp.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _NF_CONNTRACK_ICMP_H
-#define _NF_CONNTRACK_ICMP_H
-/* ICMP tracking. */
-#include <asm/atomic.h>
-
-struct ip_ct_icmp
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-#endif /* _NF_CONNTRACK_ICMP_H */
diff --git a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
index 86591afda29c..67edd50a398a 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
@@ -9,7 +9,6 @@
 
 #ifndef _NF_CONNTRACK_ICMPV6_H
 #define _NF_CONNTRACK_ICMPV6_H
-#include <asm/atomic.h>
 
 #ifndef ICMPV6_NI_QUERY
 #define ICMPV6_NI_QUERY 139
@@ -18,10 +17,4 @@
 #define ICMPV6_NI_REPLY 140
 #endif
 
-struct nf_ct_icmpv6
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-
 #endif /* _NF_CONNTRACK_ICMPV6_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 6c3f964de9e1..ecc79f959076 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,7 +23,6 @@
 #include <linux/netfilter/nf_conntrack_dccp.h>
 #include <linux/netfilter/nf_conntrack_sctp.h>
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
-#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 
 #include <net/netfilter/nf_conntrack_tuple.h>
@@ -34,8 +33,6 @@ union nf_conntrack_proto {
         struct nf_ct_dccp dccp;
         struct ip_ct_sctp sctp;
         struct ip_ct_tcp tcp;
-        struct ip_ct_icmp icmp;
-        struct nf_ct_icmpv6 icmpv6;
         struct nf_ct_gre gre;
 };
 
@@ -96,6 +93,8 @@ struct nf_conn {
            plus 1 for any connection(s) we are `master' for */
         struct nf_conntrack ct_general;
 
+        spinlock_t lock;
+
         /* XXX should I move this to the tail ? - Y.K */
         /* These are my tuples; original and reply */
         struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
@@ -144,6 +143,8 @@ static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
         return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
 }
 
+#define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
+
 /* get master conntrack via master expectation */
 #define master_ct(conntr) (conntr->master)
 
@@ -201,7 +202,7 @@ __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 
-extern void nf_conntrack_flush(struct net *net, u32 pid, int report);
+extern void nf_conntrack_flush_report(struct net *net, u32 pid, int report);
 
 extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
                               unsigned int nhoff, u_int16_t l3num,
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 0ff0dc69ca4a..1afb907e015a 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -6,11 +6,55 @@
 #define _NF_CONNTRACK_ECACHE_H
 #include <net/netfilter/nf_conntrack.h>
 
-#include <linux/notifier.h>
 #include <linux/interrupt.h>
 #include <net/net_namespace.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+        /* New conntrack */
+        IPCT_NEW_BIT = 0,
+        IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+        /* Expected connection */
+        IPCT_RELATED_BIT = 1,
+        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+        /* Destroyed conntrack */
+        IPCT_DESTROY_BIT = 2,
+        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+        /* Status has changed */
+        IPCT_STATUS_BIT = 3,
+        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+        /* Update of protocol info */
+        IPCT_PROTOINFO_BIT = 4,
+        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+        /* New helper for conntrack */
+        IPCT_HELPER_BIT = 5,
+        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+        /* Mark is set */
+        IPCT_MARK_BIT = 6,
+        IPCT_MARK = (1 << IPCT_MARK_BIT),
+
+        /* NAT sequence adjustment */
+        IPCT_NATSEQADJ_BIT = 7,
+        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
+
+        /* Secmark is set */
+        IPCT_SECMARK_BIT = 8,
+        IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
+};
+
+enum ip_conntrack_expect_events {
+        IPEXP_NEW_BIT = 0,
+        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 struct nf_conntrack_ecache {
         struct nf_conn *ct;
@@ -24,9 +68,13 @@ struct nf_ct_event {
         int report;
 };
 
-extern struct atomic_notifier_head nf_conntrack_chain;
-extern int nf_conntrack_register_notifier(struct notifier_block *nb);
-extern int nf_conntrack_unregister_notifier(struct notifier_block *nb);
+struct nf_ct_event_notifier {
+        int (*fcn)(unsigned int events, struct nf_ct_event *item);
+};
+
+extern struct nf_ct_event_notifier *nf_conntrack_event_cb;
+extern int nf_conntrack_register_notifier(struct nf_ct_event_notifier *nb);
+extern void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *nb);
 
 extern void nf_ct_deliver_cached_events(const struct nf_conn *ct);
 extern void __nf_ct_event_cache_init(struct nf_conn *ct);
@@ -52,13 +100,23 @@ nf_conntrack_event_report(enum ip_conntrack_events event,
                           u32 pid,
                           int report)
 {
-        struct nf_ct_event item = {
-                .ct     = ct,
-                .pid    = pid,
-                .report = report
-        };
-        if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
-                atomic_notifier_call_chain(&nf_conntrack_chain, event, &item);
+        struct nf_ct_event_notifier *notify;
+
+        rcu_read_lock();
+        notify = rcu_dereference(nf_conntrack_event_cb);
+        if (notify == NULL)
+                goto out_unlock;
+
+        if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) {
+                struct nf_ct_event item = {
+                        .ct     = ct,
+                        .pid    = pid,
+                        .report = report
+                };
+                notify->fcn(event, &item);
+        }
+out_unlock:
+        rcu_read_unlock();
 }
 
 static inline void
@@ -73,9 +131,13 @@ struct nf_exp_event {
         int report;
 };
 
-extern struct atomic_notifier_head nf_ct_expect_chain;
-extern int nf_ct_expect_register_notifier(struct notifier_block *nb);
-extern int nf_ct_expect_unregister_notifier(struct notifier_block *nb);
+struct nf_exp_event_notifier {
+        int (*fcn)(unsigned int events, struct nf_exp_event *item);
+};
+
+extern struct nf_exp_event_notifier *nf_expect_event_cb;
+extern int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *nb);
+extern void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *nb);
 
 static inline void
 nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
@@ -83,12 +145,23 @@ nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
                           u32 pid,
                           int report)
 {
-        struct nf_exp_event item = {
-                .exp    = exp,
-                .pid    = pid,
-                .report = report
-        };
-        atomic_notifier_call_chain(&nf_ct_expect_chain, event, &item);
+        struct nf_exp_event_notifier *notify;
+
+        rcu_read_lock();
+        notify = rcu_dereference(nf_expect_event_cb);
+        if (notify == NULL)
+                goto out_unlock;
+
+        {
+                struct nf_exp_event item = {
+                        .exp    = exp,
+                        .pid    = pid,
+                        .report = report
+                };
+                notify->fcn(event, &item);
+        }
+out_unlock:
+        rcu_read_unlock();
 }
 
 static inline void
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index ba32ed7bdabe..3767fb41e541 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -59,11 +59,11 @@ struct nf_conntrack_l4proto
                            const struct nf_conntrack_tuple *);
 
         /* Print out the private part of the conntrack. */
-        int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
+        int (*print_conntrack)(struct seq_file *s, struct nf_conn *);
 
         /* convert protoinfo to nfnetink attributes */
         int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
-                         const struct nf_conn *ct);
+                         struct nf_conn *ct);
         /* Calculate protoinfo nlattr size */
         int (*nlattr_size)(void);
 
diff --git a/include/net/netlink.h b/include/net/netlink.h
index eddb50289d6d..007bdb07dabb 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -940,6 +940,15 @@ static inline u64 nla_get_u64(const struct nlattr *nla)
 }
 
 /**
+ * nla_get_be64 - return payload of __be64 attribute
+ * @nla: __be64 netlink attribute
+ */
+static inline __be64 nla_get_be64(const struct nlattr *nla)
+{
+        return *(__be64 *) nla_data(nla);
+}
+
+/**
  * nla_get_flag - return payload of flag attribute
  * @nla: flag netlink attribute
  */